Abstract. S-Boxes are important security components of block ciphers. 
We provide theoretical results on necessary or sufficient criteria for an 
(invertible) 4-bit S-Box to be weakly APN. Thanks to a classification 
of 4-bit invertible S-Boxes achieved independently by De Cannière and 
Leander-Poschmann, we can strengthen our results with a computer-aided 
proof. We also propose a class of 4-bit S-Boxes which are very 
strong from a security point of view. 



1 Introduction 

We consider block ciphers acting on a vector space $(\mathbb{F}_2)^n$. It is important to 
identify conditions on the components of the cipher that may ensure its security. 
There are many competing notions of security, hence several kinds of security 
criteria, and some of them focus on the role of the S-Boxes. For a large class 
of current block ciphers, the S-Boxes are bijective vectorial Boolean functions 
$f : (\mathbb{F}_2)^m \to (\mathbb{F}_2)^m$, hence they are functions from the finite field $(\mathbb{F}_2)^m$ to itself. 

In this paper we focus on 4-bit S-Boxes, as used for example in SERPENT 
([2]) and PRESENT ([4]), although we also present a theorem for the general 
case. Several security criteria are affine-invariant and this justifies the work done 
to achieve the classification of 4-bit S-Boxes in affine-equivalence classes, as done 
for example by De Cannière ([8]) and Leander and Poschmann ([9]) (these 
classifications have been achieved independently). 

There is a new security criterion for S-Boxes which is affine-invariant, 
weak differential uniformity. Particularly interesting is the concept of weakly 
APN. We determine several conditions (some computational and some 
theoretical), which are either sufficient or necessary for a 4-bit vectorial Boolean function 
to be weakly APN. 

Our paper is structured as follows. In Section 2 we introduce and 
motivate the notion of weakly APN function, highlighting the case of dimension 4. 
In Section 3 we present our theoretical results, including a theorem for any 
dimension. In Section 4 we discuss our computational results. Finally, in Section 5 
we provide further computations that may be interesting and we draw our 
conclusions. 






2 Preliminaries on weakly APN functions 

Without loss of generality, in the sequel we consider only Boolean functions 
$f : (\mathbb{F}_2)^m \to (\mathbb{F}_2)^m$ such that $f(0) = 0$. We also write $f_u(x) := f(x + u) + f(x)$ 
(the derivative of $f$) and $\mathrm{Im}(f) = \{f(x) \mid x \in (\mathbb{F}_2)^m\}$ (the image of $f$). 

A notion of non-linearity for S-Boxes that has received a lot of attention is 
the following. 

Definition 1. The function $f$ is $\delta$-differentially uniform if for any $u \in (\mathbb{F}_2)^m \setminus \{0\}$ 
and for any $v \in (\mathbb{F}_2)^m$, $|\{x \in (\mathbb{F}_2)^m : f_u(x) = v\}| \le \delta$. 

If $f$ is 2-differentially uniform, then it is called an Almost Perfectly Nonlinear 
(APN) function. 

The property of being $\delta$-differentially uniform is affine-invariant. With respect to 
differential uniformity, the best S-Boxes are the APN S-Boxes. APN functions are 
indeed a very hot research topic (see for instance the recent contributions [3] 
and [5]). Unfortunately, for some even dimensions, no APN permutation exists. 
This is the case for dimension $m = 4$, which has cryptographic significance at 
least for SERPENT and PRESENT. In this case, the best we can have is $\delta = 4$. 

There is a natural generalization of differential uniformity presented recently 
in [7], which we recall in the following definition. 

Definition 2. The function $f$ is weakly $\delta$-differentially uniform if for any 
$u \in (\mathbb{F}_2)^m \setminus \{0\}$ we have $|\mathrm{Im}(f_u)| > 2^{m-1}/\delta$. 

If $f$ is weakly 2-differentially uniform, then it is called a weakly Almost 
Perfectly Nonlinear (weakly APN) function. 

By [7], §4, Fact 3, a $\delta$-differentially uniform map is weakly $\delta$-differentially 
uniform, and it is easy to check that weak $\delta$-differential uniformity is affine-invariant. 

The significance of the previous definition lies in [7], Theorem 4.4. To 
appreciate it we need another definition. 

Definition 3. A function $f$ is strongly $r$-anti-invariant if for any two subspaces 
$V, W \le (\mathbb{F}_2)^m$ such that $f(V) = W$ then either $\dim(V) = \dim(W) < m - r$ or 
$V = W = (\mathbb{F}_2)^m$. 

An iterated block cipher is obtained by the composition of several rounds 
(or round functions), i.e., key-dependent permutations of the message/cipher 
space. To avoid potential weaknesses of a given cipher $C$, it is desirable that 
the permutation group $\Gamma_\infty(C)$ generated by its round functions with the key 
varying in the key space is primitive (for instance, a way to construct a 
trapdoor using imprimitivity is presented in [11]). Translation-based ciphers (see [7], 
Def. 3.1) form an interesting class of iterated block ciphers containing AES [10], 
SERPENT, PRESENT. According to Theorem 4.4 in [7], if $C$ is a 
translation-based cipher and each brick $\gamma'$ of every parallel S-Box $\gamma$ used in the proper 
round under consideration is both weakly $2^r$-differentially uniform and strongly 
$r$-anti-invariant for some $r$ with $1 \le r \le m/2$, then $\Gamma_\infty(C)$ is primitive. It may 
seem that Theorem 4.4 in [7] requires too strong conditions in order to ensure 
primitivity, but indeed they turn out to be quite natural, as shown in [7], §5. In 
the case of 4-bit S-Boxes, we have only two possibilities: $r = 1$, requiring every 
$\gamma'$ to be both strongly 1-anti-invariant (which always holds if it is maximally 
non-linear, see for instance [7], footnote 4 on p. 347) and weakly APN; or $r = 2$, 
requiring every $\gamma'$ to be both weakly 4-differentially uniform (which always holds 
if it is 4-differentially uniform) and strongly 2-anti-invariant. 

3 Theoretical results on weakly APN functions 

Our first result is to show that for 4-differentially uniform functions the case 
$r = 2$ of Theorem 4.4 in [7] is just a sub-case of the case $r = 1$. 

Proposition 1 Let $f : (\mathbb{F}_2)^4 \to (\mathbb{F}_2)^4$ be a Boolean function such that 

(i) $f$ is 4-differentially uniform 

(ii) $f$ is strongly 2-anti-invariant. 
Then $f$ is weakly APN. 

Proof. Assume by contradiction that $|\mathrm{Im}(f_u)| \le 4$. Then from (i) we deduce that 
$|f_u^{-1}(v)| = 4$ for every $v \in \mathrm{Im}(f_u)$. Hence we have $f_u^{-1}(f(u)) = \{0, u, x, u + x\}$ 
for some $x$, in particular $f_u^{-1}(f(u))$ is a 2-dimensional vector subspace. On the 
other hand, $f_u(x) = f_u(u)$ implies $f(x + u) = f(u) + f(x)$. It follows that 
$f(\{0, u, x, u + x\})$ is a 2-dimensional vector subspace, contradicting (ii). 

□ 

In other words, Proposition 1 provides some sufficient conditions for a 4-bit 
S-Box to be weakly APN. Other sufficient conditions are presented in the next 
proposition and are based on the following non-linearity measures: 

$n_i(f) := |\{v \in (\mathbb{F}_2)^m \setminus \{0\} : \deg(\langle f, v \rangle) = i\}|$ (1) 

and 

$\hat{n}(f) := \max_{u \in (\mathbb{F}_2)^m \setminus \{0\}} |\{v \in (\mathbb{F}_2)^m \setminus \{0\} : \deg(\langle f_u, v \rangle) = 0\}|$. (2) 

Proposition 2 Let $f : (\mathbb{F}_2)^4 \to (\mathbb{F}_2)^4$ be a Boolean function such that $\hat{n}(f) = 0$. 
Then $f$ is weakly APN. 

Proof. Let $(\mathbb{F}_2)^4 = \{x_1, \dots, x_{16}\}$ and given $u \in (\mathbb{F}_2)^m \setminus \{0\}$ let $M = (m_{ij}) \in (\mathbb{F}_2)^{4 \times 16}$ 
with $m_{ij} := (f_u)_i(x_j)$. By definition, $f$ is weakly APN if and only if 
$|\mathrm{Im}(f_u)| > 4$, hence if and only if $M$ has more than 4 distinct columns. 

Assume by contradiction that $M$ has $n \le 4$ distinct columns and let 
$M' \in (\mathbb{F}_2)^{4 \times n}$ be the corresponding submatrix. 

If $M'$ has rank 4, then we may write $(1, 1, 1, 1)$ as a linear combination of the 
rows of $M'$: 

$(1, 1, 1, 1) = aM'_1 + bM'_2 + cM'_3 + dM'_4$. 

Since all the other columns of $M$ are equal to the columns of $M'$, we may write 
$(1, \dots, 1) \in (\mathbb{F}_2)^{16}$ as the same linear combination of the rows of $M$: 

$(1, \dots, 1) = aM_1 + bM_2 + cM_3 + dM_4$. 

Hence the function $\langle f_u, (a, b, c, d) \rangle$ is the constant 1, contradiction. 

If instead $M'$ has rank $\le 3$, then we may write $(0, 0, 0, 0)$ as a nonzero linear 
combination of the rows of $M'$: 

$(0, 0, 0, 0) = aM'_1 + bM'_2 + cM'_3 + dM'_4$. 

Since all the other columns of $M$ are equal to the columns of $M'$, we may write 
$(0, \dots, 0) \in (\mathbb{F}_2)^{16}$ as the same linear combination of the rows of $M$: 

$(0, \dots, 0) = aM_1 + bM_2 + cM_3 + dM_4$. 

Hence the function $\langle f_u, (a, b, c, d) \rangle$ is the constant 0, contradiction. 

□ 

The following partial converse to Proposition 2 gives necessary conditions 
and holds for any $m > 2$. 

Theorem 1. Let $f : (\mathbb{F}_2)^m \to (\mathbb{F}_2)^m$ be a (weakly) APN function. 
Then $\hat{n}(f) \le 1$. 

Proof. Let $f = (f_1, f_2, \dots, f_m)$ with $f_i : (\mathbb{F}_2)^m \to \mathbb{F}_2$ and assume by 
contradiction that both $\langle f_u, v_1 \rangle$ and $\langle f_u, v_2 \rangle$ are constant for some $u$, $v_1 \ne v_2 \in (\mathbb{F}_2)^m \setminus \{0\}$. 
Up to a linear transformation sending $v_1$ to $(1, 0, 0, \dots, 0)$ and $v_2$ to 
$(0, 1, 0, \dots, 0)$, without loss of generality we may assume that both $(f_u)_1 = (f_1)_u$ 
and $(f_u)_2 = (f_2)_u$ are constant. It follows that $|\mathrm{Im}(f_u)| \le 2^{m-2}$ and $f$ is not 
weakly APN, contradiction. 

□ 

As an application of Theorem 1 we obtain the following: 

Proposition 3 Let $f : (\mathbb{F}_2)^4 \to (\mathbb{F}_2)^4$ be a weakly APN permutation. 
Then $\deg(f) = 3$ and $n_3(f) \in \{12, 14, 15\}$. 

Proof. It is well-known that $\deg f \le 3$ (see for instance [15]). If 

$|\{v \in (\mathbb{F}_2)^4 \setminus \{0\} : \deg(\langle f, v \rangle) \le 2\}| \le 5$ 

then our claim holds, since $\{v \in (\mathbb{F}_2)^4 \setminus \{0\} : \deg(\langle f, v \rangle) \le 2\} \cup \{0\}$ is a vector 
subspace of $(\mathbb{F}_2)^4$. 

Let $f = (f_1, f_2, f_3, f_4)$ with $f_i : (\mathbb{F}_2)^4 \to \mathbb{F}_2$ and assume by contradiction that 
$\deg(S) \le 2$ for 6 different linear combinations $S = \sum_{i=1}^{4} v_i f_i$. From the basic 
theory of quadratic Boolean functions (see for instance [6], §2.2), it follows that 
the derivative $S_u$ is constant for every $u \in V(S) \subseteq (\mathbb{F}_2)^4$, where $V(S)$ is a vector 
subspace of dimension 0 if and only if $S$ is bent, 4 if and only if $S$ is linear (affine), 
and 2 otherwise. Now, $S$ is not bent since it is balanced (see for instance [1]) and 
bent functions are never balanced (see for instance [12]). Thus $\dim V(S) \ge 2$ 
for every $S$ and $|V(S) \setminus \{0\}| \ge 3$, in particular 6 sets $V(S) \setminus \{0\} \subseteq (\mathbb{F}_2)^4 \setminus \{0\}$ 
cannot be disjoint. Hence there is $u \in (\mathbb{F}_2)^4 \setminus \{0\}$ and two different non-zero 
linear combinations $S_1$ and $S_2$ such that both $(S_1)_u$ and $(S_2)_u$ are constant and 
this contradicts Theorem 1. 

□ 
4 Computational results on weakly APN functions 

The problem of classifying (invertible) S-Boxes $f : (\mathbb{F}_2)^m \to (\mathbb{F}_2)^m$ (w.r.t. 
affine-equivalence) was solved in [8, 9] in the case $m = 4$ and has been recently checked 
in [13, 14]. By a direct check on the class representatives, we may draw a series 
of consequences, that we call Facts. 

First of all, we see that three of our theoretical results cannot be inverted, 
as follows. 

Fact 1 The converse of Proposition 1 does not hold. 

Proof. (0, 1, 2, 13, 4, 15, 14, 7, 8, 3, 5, 9, 10, 6, 12, 11) is weakly APN but is not 
4-differentially uniform. □ 

Fact 2 The converse of Proposition 2 does not hold. 

Proof. (0, 1, 2, 13, 4, 15, 14, 7, 8, 3, 5, 9, 10, 6, 12, 11) is weakly APN but $\hat{n} = 1$. □ 

Fact 3 The converse of Theorem 1 does not hold. 

Proof. For $f$ = (0, 1, 2, 7, 4, 10, 15, 9, 8, 3, 13, 14, 12, 5, 6, 11) we have $\hat{n}(f) = 1$ but 
$f$ is not weakly APN. □ 

Next, we can strengthen Proposition 3. 

Fact 4 Let $f : (\mathbb{F}_2)^4 \to (\mathbb{F}_2)^4$ be a weakly APN permutation. Then $\deg(f) = 3$ 
and $n_3(f) \in \{14, 15\}$. 

Unfortunately, the previous fact cannot be inverted: 

Fact 5 The converse of Fact 4 does not hold. 

Proof. For $f$ = (0, 1, 2, 7, 4, 10, 15, 9, 8, 3, 13, 14, 12, 5, 6, 11) we have $\deg(f) = 3$ 
and $n_3(f) = 14$, but $f$ is not weakly APN. □ 

Finally, we want to provide some sufficient conditions (for $f$ to be weakly 
APN), involving also the following classical concept of non-linearity: 

Definition 4. 

$\mathrm{Lin}(f) = \max |\langle f, b \rangle^W(a)|$, 

where W denotes the Walsh coefficient (see for instance (1) in J3[). 

Since for m = 4 we have that the best f's have Lin(/) = 8, we find of interest 
our following result: 

Fact 6 Let $f : (\mathbb{F}_2)^4 \to (\mathbb{F}_2)^4$ be a Boolean permutation such that 

$\mathrm{Lin}(f) = 8$, $f$ is 4-differentially uniform, $n_3(f) \ge 14$. 
Then $f$ is weakly APN. 

Regrettably, the assumptions of Fact 6 cannot be weakened. We provide two 
(affine-independent) counterexamples: 

- with $f$ = (0, 1, 2, 12, 4, 13, 11, 10, 8, 15, 5, 9, 6, 14, 7, 3) we have $\mathrm{Lin}(f) = 8$ and 
$n_3(f) = 14$, but $f$ is not weakly APN, 

- with $f$ = (0, 1, 2, 12, 4, 6, 14, 5, 8, 3, 13, 10, 9, 7, 15, 11) we have that $f$ is 
4-differentially uniform and that $n_3(f) = 14$, but again $f$ is not weakly APN. 
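
Added example (not part of the original paper): a Python check of the S-Boxes quoted in Facts 1-3 and 5, computing the differential uniformity, the weakly APN property, the measure in (2) and the measure in (1) for degree 3. It assumes each tuple lists f(0), ..., f(15) with the elements of the 4-dimensional space packed as integers; all function and constant names are ours.

```python
M = 4  # S-box width in bits (m in the paper)
N = 1 << M

def dot(a, b):
    """Inner product <a, b> over F_2, vectors packed into integers."""
    return bin(a & b).count("1") & 1

def derivative_counts(f, u):
    """Map v -> |{x : f_u(x) = v}| for the derivative f_u(x) = f(x+u) + f(x)."""
    counts = {}
    for x in range(N):
        v = f[x ^ u] ^ f[x]
        counts[v] = counts.get(v, 0) + 1
    return counts

def differential_uniformity(f):
    """Smallest delta for which f is delta-differentially uniform (Definition 1)."""
    return max(max(derivative_counts(f, u).values()) for u in range(1, N))

def is_weakly_apn(f):
    """Definition 2 with delta = 2: |Im(f_u)| > 2^(m-2) for every u != 0."""
    return all(len(derivative_counts(f, u)) > N // 4 for u in range(1, N))

def n_hat(f):
    """Equation (2): max over u != 0 of #{v != 0 : <f_u, v> is constant}."""
    best = 0
    for u in range(1, N):
        image = list(derivative_counts(f, u))
        best = max(best, sum(len({dot(y, v) for y in image}) == 1 for v in range(1, N)))
    return best

def degree(truth_table):
    """Algebraic degree via the binary Moebius transform (truth table -> ANF)."""
    anf = list(truth_table)
    for i in range(M):
        for x in range(N):
            if (x >> i) & 1:
                anf[x] ^= anf[x ^ (1 << i)]
    return max((bin(x).count("1") for x in range(N) if anf[x]), default=0)

def n_i(f, i):
    """Equation (1): number of v != 0 whose component <f, v> has degree i."""
    return sum(degree([dot(f[x], v) for x in range(N)]) == i for v in range(1, N))

def summary(f):
    return is_weakly_apn(f), differential_uniformity(f), n_hat(f), n_i(f, 3)

# S-Boxes quoted in Facts 1-2 (SBOX_A) and in Facts 3 and 5 (SBOX_B)
SBOX_A = (0, 1, 2, 13, 4, 15, 14, 7, 8, 3, 5, 9, 10, 6, 12, 11)
SBOX_B = (0, 1, 2, 7, 4, 10, 15, 9, 8, 3, 13, 14, 12, 5, 6, 11)
```

Calling summary on SBOX_A gives (True, 6, 1, 15) and on SBOX_B gives (False, 6, 1, 14), in the order (weakly APN, differential uniformity, measure (2), measure (1) for degree 3), which agrees with Facts 1-3 and 5.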
5 More computational results and conclusions 

Let us recall from [9] the further measures of non-linearity: 

- $\mathrm{Lin}_1(f) = \max_{a, b \in (\mathbb{F}_2)^m,\ w(a) = w(b) = 1} |\langle f, b \rangle^W(a)|$, 

- $\mathrm{Diff}_1(f) = \max_{a, b \in (\mathbb{F}_2)^m,\ w(a) = w(b) = 1} |f_a^{-1}(b)|$. 

Then we introduce a new class of S-Boxes suitable for block ciphers construction: 

Definition 1 We say that a Boolean permutation $f : (\mathbb{F}_2)^4 \to (\mathbb{F}_2)^4$ is a strong 
S-Box if $f$ is weakly APN, 4-differentially uniform, and 

$\mathrm{Lin}(f) = 8$, $\mathrm{Diff}_1(f) = \mathrm{Lin}_1(f) = 4$, $n_3(f) \ge 14$. 

Moreover, we say that $f$ is very strong if it is strong and strongly 2-anti-invariant. 

Note that a very strong function is in particular both optimal ([9], Def. 1) and 
Serpent-type ([9], Def. 2), and also it satisfies Theorem 4.4 of [7]. A direct 
computation (see [13]) allows us to conclude: 

Fact 7 There are 55296 strong S-Boxes and 2304 very strong ones. 

Remark 1. As in the rest of the paper, all statements in this section assume 
$f(0) = 0$. So Fact 7 implies that there are actually 55296 * 16 = 884736 invertible 
4-bit S-Boxes equivalent via a translation to strong S-Boxes, therefore sharing 
their security robustness. The same goes for 2304 * 16 = 36864 S-Boxes equivalent 
to very strong S-Boxes. 

Following [9], we have tested the properties of the S-Boxes used in SERPENT, 
denoted by $S_0, S_1, \dots, S_7$ (for details see [13]), and we get: 

Fact 8 The S-Boxes $S_3$, $S_4$, $S_5$, $S_7$ are strong. None of the $S_i$'s is very strong. 

In conclusion, we have considered the link between the recent notion of weakly 
APN function and several more traditional non-linearity properties, such as 
differential uniformity, algebraic degree and classical non-linearity. We obtained 
both theoretical and computational results. In particular, sufficient conditions 
for an S-Box to be weakly APN are presented in Propositions 1 and 2 and Fact 6, 
while necessary ones can be found in Theorem 1, Proposition 3 and Fact 4. 

6 Acknowledgements 

This research has been supported by TELSY S.p.A., MIUR "Rientro dei cervelli", 
GNSAGA of INdAM and MIUR Cofin 2008 - "Geometria delle varieta algebriche 
e dei loro spazi di moduli" (Italy). A preliminary version of this work has been 
available online as arXiv:1102.3882v1 since February 17, 2011. 






References 

1. C. Adams and S. Tavares, The structured design of cryptographically good S-boxes, 
J. Cryptology 3 (1990), no. 1, 27-41. 

2. R. J. Anderson, E. Biham, and L. R. Knudsen, Serpent: A New Block Cipher 
Proposal, 1998, p. 222-238, Proc. of FSE 199, LNCS 1372. 

3. Y. Aubry, G. McGuire, and F. Rodier, A few more functions that are not APN 
infinitely often, Finite fields: theory and applications, 23-31, Contemp. Math., 518, 
Amer. Math. Soc., Providence, RI, 2010. 

4. A. Bogdanov, L. R. Knudsen, G. Leander, C. Paar, A. Poschmann, 
M. Robshaw, Y. Seurin, and C. Vikkelsoe, PRESENT: An Ultra-Lightweight 
Block Cipher, Proc. of CHES 2007, 2007, LNCS 7427, p. 450-466. 

5. C. Bracken, E. Byrne, N. Markin, and G. McGuire, Fourier spectra of binomial 
APN functions, SIAM J. Discrete Math. 23 (2009), no. 2, 596-608. 

6. A. Canteaut, P. Charpin, and G. M. Kyureghyan, A new class of monomial bent 
functions, Finite Fields Appl. 14 (2008), no. 1, 221-241. 

7. A. Caranti, F. Dalla Volta, and M. Sala, On some block ciphers and imprimitive 
groups, Appl. Algebra Engrg. Comm. Comput. 20 (2009), no. 5-6, 339-350. 

8. C. De Cannière, Analysis and Design of Symmetric Encryption Algorithms, PhD 
thesis, Katholieke Universiteit Leuven, 2007. 

9. G. Leander and A. Poschmann, On the classification of 4 bit S-boxes, LNCS 4547, 
159-176. 

10. National Institute of Standards and Technology, The Advanced Encryption 
Standard, (FIPS) 197, 2001. 

11. K. G. Paterson: Imprimitive permutation groups and trapdoors in iterated block 
ciphers, LNCS 1636 (1999), 201-214. 

12. B. Preneel, W. Van Leekwijck, L. Van Linden, R. Govaerts, and J. Vandewalle: 
Propagation characteristics of Boolean functions, LNCS 473 (1991), 161-173. 

13. V. Pulice: Security classification of 4-bit Boolean permutations, Master Thesis, 
Univ. of Trento (2011). 

14. M. J. Saarinen, Cryptographic Analysis of All 4 x 4-Bit S-Boxes, Proc. of SAC 
2011, Toronto, Canada. 

15. W. Zhang, C.-K. Wu, and S. Li: Construction of cryptographically important 
Boolean permutations, Appl. Algebra Engrg. Comm. Comput. 15 (2004), no. 3-4, 
173-177. 



